Information security risk management
Overview
The company has established an Information Security Management Organization responsible for formulating information security policies, planning security measures, and executing related information security operations. Starting in March 2023, the company began implementing ISO 27001 (ISMS) to establish a more effective information security management system. The certification process is expected to be completed by April 2024.
 
Information Security Management Organization
The Company has formed an Information Security Committee, with the Chief Information Security Officer serving as the convener and the head of the Information Security and Information Management Department serving as the management representative. The committee coordinates information security policy management, information security operations, information security architecture, information security risk management, and compliance audit control.

[Organization chart: Information Security Committee; Management Representative; Information Security Audit Team; Information Security Execution Team; Emergency Tasks]

The Information Security Policy is formulated by the Information Security Committee in accordance with the requirements of ISO 27001 and the information security guidelines for listed and OTC (Over-The-Counter) companies. Its content covers guidelines for the use of information equipment, password usage, company email usage, internet usage, information processing, software usage and licensing, deployment principles for antivirus and data leak prevention software, remote access guidelines, and information security incident management guidelines. The Information Security Committee also reviews the content of the information security policy annually; it convened 12 times in 2023.

The organization uses the PDCA (Plan-Do-Check-Act) cycle to ensure that its objectives are achieved and continuously improved upon.
 
 
Information Security Policy Management Objectives:
1. Conduct information security education and training to promote awareness among employees and enhance their understanding of related responsibilities.
2. Safeguard the information related to the company's business activities, preventing unauthorized access and modifications to ensure its correctness and completeness.
3. Regularly perform audits and technical reviews to ensure the proper implementation of relevant operations.
4. Ensure that the company's critical core systems maintain a defined level of system availability.
 
Information Security Infrastructure and Management Practices
1. Cybersecurity Intelligence
The company is a member of the Taiwan Computer Emergency Response Team (TWCERT) and the Science Park Information Sharing and Analysis Center (SP-ISAC). It regularly receives cybersecurity intelligence and participates in relevant cybersecurity seminars. By receiving Indicators of Compromise (IOC) early, before an intrusion is detected locally, the company can proactively add the IP addresses of attacker relay servers to the firewall, putting protective measures in place in advance to reduce the likelihood of a successful attack.
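The IOC-to-firewall step described above is easy to get wrong in two ways: an indicator that is not a valid address slips into the rule set, or an indicator inside the company's own address space blocks legitimate traffic. The script below is an added illustration, not the company's own tooling: it parses a constructed CSV feed (real TWCERT or SP-ISAC feeds have their own formats and need their own parser), keeps only IP indicators above a confidence threshold, refuses anything that overlaps an explicit list of internal ranges, rejects overly broad prefixes, deduplicates by the highest confidence seen, and renders iptables-style DROP rules. The rule format and the confidence scale are assumptions for the example.

```python
"""Turn a threat-intelligence IOC feed into firewall block rules.

Added example, not the company's own code. The feed below is constructed;
the iptables rule format is illustrative and would be adapted to the
actual firewall in use.
"""
import csv
import io
import ipaddress

# Constructed sample feed. Columns: type, value, source, confidence (0-100).
# The same address appears twice with different confidence to show dedup,
# and one entry sits inside RFC 1918 space to show the self-block guard.
SAMPLE_FEED = """\
type,value,source,confidence
ipv4,203.0.113.10,constructed-feed,90
ipv4,203.0.113.10,constructed-feed,70
ipv4,198.51.100.77,constructed-feed,40
ipv4,10.0.0.5,constructed-feed,95
ipv4,not-an-ip,constructed-feed,80
ipv6,2001:db8::1,constructed-feed,85
domain,bad.example,constructed-feed,90
ipv4,192.0.2.0/24,constructed-feed,88
"""

# Ranges that must never be blocked at the perimeter, whatever a feed says.
# A real deployment would add the company's own public ranges here.
# (An explicit list is used instead of ipaddress.is_private because Python
# also flags the RFC 5737 documentation ranges used in this sample as private.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                  # IPv6 equivalents
)]

# Longest prefix length we are willing to block as one rule, per IP version.
MIN_PREFIXLEN = {4: 24, 6: 48}


def parse_ioc_feed(text):
    """Parse the CSV feed into a list of indicator dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [{
        "type": row["type"].strip().lower(),
        "value": row["value"].strip(),
        "source": row["source"].strip(),
        "confidence": int(row["confidence"]),
    } for row in reader]


def overlaps_protected(net):
    """True if the candidate network touches any never-block range."""
    return any(net.version == p.version and net.overlaps(p) for p in NEVER_BLOCK)


def select_blockable_networks(iocs, min_confidence=60):
    """Return (sorted networks to block, list of (value, reason) skipped)."""
    best = {}      # network -> highest confidence reported for it
    skipped = []
    for ioc in iocs:
        value = ioc["value"]
        if ioc["type"] not in ("ipv4", "ipv6"):
            skipped.append((value, "not an IP indicator"))
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            skipped.append((value, "unparseable address"))
            continue
        if overlaps_protected(net):
            skipped.append((value, "overlaps protected internal range"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            skipped.append((value, "prefix too broad"))
            continue
        best[net] = max(best.get(net, 0), ioc["confidence"])

    selected = []
    for net, conf in best.items():
        if conf >= min_confidence:
            selected.append(net)
        else:
            skipped.append((str(net), "below confidence threshold"))
    selected.sort(key=lambda n: (n.version, n))   # IPv4 first, then IPv6
    return selected, skipped


def render_rules(networks):
    """Render one DROP rule per network (illustrative iptables syntax)."""
    return [
        f"{'iptables' if n.version == 4 else 'ip6tables'} -I INPUT -s {n} -j DROP"
        for n in networks
    ]


if __name__ == "__main__":
    nets, skipped = select_blockable_networks(parse_ioc_feed(SAMPLE_FEED))
    for rule in render_rules(nets):
        print(rule)
    for value, reason in skipped:
        print(f"# skipped {value}: {reason}")
```

Running it prints three rules (the two documentation-range IPv4 entries and the IPv6 host) and lists every indicator that was rejected with its reason, so the operator can see why a feed entry did not become a rule rather than discovering it after an outage.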
 
2. Computer Virus Protection:
Endpoint protection software is installed on all endpoints; it updates virus definitions automatically and performs regular full-disk scans. This blocks the latest known viruses and detects and prevents the installation of potentially malicious system executables.
 
3. Network Security Management:
• Firewalls are deployed to block unauthorized intrusion attempts. IT operations tools monitor the status of network services, and any endpoint showing suspicious behavior is immediately moved to an isolated network segment and denied access to the company's network services.
• An internet proxy server filters content and blocks high-risk websites, protecting the privacy and security of employees' internet access and, to some extent, helping to prevent network attacks.
 
4. System Access Control:
Access control management practices allow only authorized personnel to access systems. System permissions are granted only after approval from the responsible authority, and periodic reviews confirm that granted permissions remain appropriate, protecting the company's digital information assets.
 
5. Business Continuity Operations:
By combining preventive and recovery controls, and in line with its information operations management goals, the company reduces the impact of information system disasters or failures to an acceptable level, prioritized according to the importance and impact of each business process.
 
6. Regular Social Engineering Drills and Training:
The company regularly conducts social engineering awareness tests, with results reported by a backend statistics system. These tests evaluate users' awareness of email-based social engineering and their knowledge of cybersecurity policies. Security awareness campaigns and information security education and training are organized so that personnel know the correct operational procedures and overall protection concepts, promoting employee awareness of information security and enhancing their understanding of related responsibilities.